
In December 2024, PowerSchool, a leading provider of K-12 education software, suffered a data breach that exposed sensitive information for over 62 million students and 9.5 million teachers. The company paid a ransom to the attackers, believing the data would be deleted. However, school districts later faced direct extortion attempts by the hacking group ShinyHunters, highlighting the risks of negotiating with cybercriminals [1].
Breach Mechanics and Initial Response
The breach originated from compromised credentials belonging to a single PowerSchool employee account that lacked multi-factor authentication (MFA). Attackers used these credentials to access the company’s PowerSource support portal and exfiltrate data via an “export data manager” tool [2]. The stolen information included names, addresses, birthdates, and in some cases Social Security numbers (for fewer than 25% of affected individuals). Health alerts, locker combinations, and lunch balances were also compromised, according to reports from the Utah Schools for the Deaf and Blind [3].
PowerSchool’s decision to pay the ransom was based on receiving a video showing data deletion. The company subsequently informed affected clients that it believed the data had been destroyed. However, this assurance proved premature when ShinyHunters began targeting school districts directly months later [4].
Secondary Extortion and Systemic Failures
Despite PowerSchool’s ransom payment, multiple school districts received extortion demands from ShinyHunters in early 2025. North Carolina districts were among those asked for 25 Bitcoin (approximately $1.5 million at the time) to prevent public release of student data [5]. This development contradicted PowerSchool’s earlier assurances and demonstrated the unreliable nature of ransom negotiations.
A CrowdStrike audit revealed the breach resulted from basic security failures: missing MFA and weak credential hygiene. These findings were particularly notable given PowerSchool CEO Hardeep Gulati’s 2023 pledge at a White House event to improve cybersecurity measures [6]. The Future of Privacy Forum is currently reviewing whether PowerSchool violated its Student Privacy Pledge commitments.
| Metric | Value |
|---|---|
| Affected Students | 62.4 million |
| Affected Teachers | 9.5 million |
| States Affected | 40+ U.S. states |
| International Impact | Canada and other countries |
Educational Sector Vulnerabilities
The PowerSchool incident is part of a troubling pattern in the education sector. Since 2016, there have been over 325 ransomware attacks on U.S. schools, according to nonprofit K12 SIX [7]. Notable recent cases include the 2023 Minneapolis Public Schools breach, where 300,000 student files were leaked after the district refused to pay a ransom, and the Los Angeles Unified School District incident, where 2,000 student records appeared on the dark web.
Educational institutions face unique challenges in cybersecurity. Budget constraints often limit IT resources, while the sensitive nature of student data makes schools attractive targets. The Granite School District breach in 2024, which exposed 450,000 records via malware, demonstrated how attackers exploit these vulnerabilities [8].
Response and Recommendations
PowerSchool has offered two years of credit monitoring to affected individuals and implemented password resets, MFA enforcement, and dark web monitoring [9]. However, security experts emphasize that these measures should have been in place before the breach occurred.
For educational institutions and software providers, several key security practices can reduce risk:
- Enforce MFA across all administrative accounts
- Implement zero-trust access controls for sensitive systems
- Monitor dark web forums for leaked credentials
- Adopt extended detection and response (XDR) solutions
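
The first recommendation, and the export path described under Breach Mechanics, can both be checked mechanically. The following is an added example, not PowerSchool tooling or code from any cited source: it audits an account inventory for privileged accounts without MFA and flags export activity that is either bulk or came from a session without MFA. The CSV column names, role labels, sample rows and the 10,000-record threshold are all assumptions made for illustration.

```python
import csv
import io
from collections import defaultdict

# Constructed sample data; column names, roles and values are assumptions.
ACCOUNTS_CSV = """user,role,mfa_enrolled
alice,admin,true
bob,support,false
carol,teacher,false
dave,support,true
"""
AUDIT_LOG_CSV = """timestamp,user,action,records,mfa_used
2000-01-01T02:10:00Z,bob,login,0,false
2000-01-01T02:14:00Z,bob,export,48000,false
2000-01-01T02:20:00Z,bob,export,52000,false
2000-01-01T09:00:00Z,dave,login,0,true
2000-01-01T09:05:00Z,dave,export,120,true
2000-01-01T10:00:00Z,alice,export,30,true
"""
PRIVILEGED_ROLES = {"admin", "support"}
EXPORT_THRESHOLD = 10000  # assumed per-user record limit for the log window

def _is_true(value):
    return value.strip().lower() == "true"

def privileged_without_mfa(accounts_csv):
    """Return privileged users that have no MFA enrolled."""
    rows = csv.DictReader(io.StringIO(accounts_csv))
    return sorted(r["user"] for r in rows
                  if r["role"] in PRIVILEGED_ROLES and not _is_true(r["mfa_enrolled"]))

def suspicious_exports(log_csv, threshold=EXPORT_THRESHOLD):
    """Flag users whose exports exceed the threshold or ran without MFA."""
    totals, no_mfa = defaultdict(int), set()
    for r in csv.DictReader(io.StringIO(log_csv)):
        if r["action"] != "export":
            continue
        totals[r["user"]] += int(r["records"])
        if not _is_true(r["mfa_used"]):
            no_mfa.add(r["user"])
    findings = {}
    for user, total in totals.items():
        reasons = [name for name, hit in (("bulk_export", total > threshold),
                                          ("export_without_mfa", user in no_mfa)) if hit]
        if reasons:
            findings[user] = {"records": total, "reasons": reasons}
    return findings

if __name__ == "__main__":
    print(privileged_without_mfa(ACCOUNTS_CSV), suspicious_exports(AUDIT_LOG_CSV))
```

In the constructed data, the one support account without MFA is also the only account that trips both export checks, which is the combination worth alerting on first.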
The PowerSchool breach serves as a cautionary tale about the limitations of ransom payments and the importance of proactive security measures. As the educational sector continues to digitize, robust cybersecurity practices must keep pace with technological adoption to protect sensitive student information.
References
[1] “PowerSchool paid a hacker’s extortion demand,” DataBreaches.net, May 7, 2025. [Online]. Available: https://databreaches.net/2025/05/07/powerschool-paid-a-hackers-extortion-demand
[2] “PowerSchool breach mechanics,” Sangfor Technologies, Jan. 15, 2025. [Online]. Available: https://www.sangfor.com/blog/cybersecurity/powerschool-breach-student-information-system-hack-exposes-data
[3] “PowerSchool hacker claims they stole data of 62 million students,” BleepingComputer, Jan. 22, 2025. [Online]. Available: https://www.bleepingcomputer.com/news/security/powerschool-hacker-claims-they-stole-data-of-62-million-students
[4] “PowerSchool paid ransom to hackers after breach,” Wall Street Journal, 2025. [Online]. Available: https://www.wsj.com/articles/powerschool-paid-ransom-to-hackers-after-breach-02d9d977
[5] “Audit findings on PowerSchool hack,” NBC News, Jan. 31, 2025. [Online]. Available: https://www.nbcnews.com/tech/security/powerschool-hack-data-breach
[6] “ShinyHunters’ extortion attempts,” BankInfoSecurity, Jan. 13, 2025.
[7] “Educational sector ransomware trends,” K12 SIX, 2025.
[8] “Recent school district breaches,” Sangfor Technologies, 2025.
[9] “PowerSchool response measures,” PowerSchool statement, 2025.